Information Security Policy

Easy To Manage LLC (ETM)

Effective Date: 05/01/2024

Review Cycle: Annually or as needed

1. Purpose

This policy outlines ETM’s approach to protecting company systems, employee credentials, and client-related data handled during business operations.

2. Scope

This policy applies to all employees, contractors, and vendors who access ETM’s systems, tools, or information.

3. Key Principles

**Data Classification and Handling**
- ETM classifies data into tiers: public, internal, confidential, and personally identifiable information (PII).
- PII must never be stored or transmitted without encryption.
- Use of PII in email, screen sharing, or file transfers must be secured using approved tools.

a. Data Handling

- All data is processed via secure, encrypted channels (e.g., HTTPS, SFTP, or VPN).

- Temporary data access (e.g., logs, metadata) is limited, access-controlled, and purged regularly.

b. Access Control

- Access is granted based on least privilege.

- SSO and MFA are required for all systems with sensitive access.

- Employee access is reviewed quarterly and revoked immediately upon role change or departure.

c. Endpoint Security

- All company devices must have:
  - Full disk encryption enabled
  - Auto-lock and password protection
  - Up-to-date antivirus and endpoint monitoring

- Employees must report lost or compromised devices immediately.

d. Vendor & Tool Use

- All third-party tools must be reviewed for security posture before adoption.

- Data processors must support encryption, access logging, and strong authentication.

e. Incident Response

- All security incidents must be addressed as per our internal Incident Response Policy.

f. Employee Practices

- Security training is required upon onboarding and refreshed annually.

- Phishing simulations or awareness emails are sent periodically.

- Passwords must be managed using an approved password manager (e.g., 1Password).

4. Compliance & Review

**Breach Notification**
- Any confirmed data breach affecting PII must be reported to relevant stakeholders within 72 hours.
- Notification to affected users must include scope, impact, and remediation steps.

**Data Subject Rights**
- ETM honors data subject rights, including access, correction, and deletion of personal information.
- Requests will be fulfilled within 30 days by the designated privacy contact.

**Data Retention & Deletion**
- PII is retained only for the minimum period necessary to fulfill business or legal obligations.
- Secure deletion practices must be followed, and deletion activities should be auditable.

**Logging and Monitoring**
- All systems handling PII must log access and activity.
- Logs must be retained for 12 months and reviewed periodically.

**Privacy Oversight**
- A designated Privacy Lead or Data Protection Officer oversees compliance with privacy obligations.

- Policy compliance is monitored by the ETM Security Team.

Related Policies: For handling of personal data (including employee and internal PII), refer to the Internal Personal Data Protection Policy, maintained by ETM’s DPO.

This policy is reviewed annually and updated as needed to reflect changes in risk, operations, or regulations.